I read this article: http://jeremiahgrossman.blogspot.com/2007/01/gmail-xsrf-json开发者_JAVA技巧-call-back-hackery.html
And I tried to use the technique, but it seems to fail on (at least) most browsers I tried. Basically you return JSON on your site and someone else does a <script src="domain.com/response.php?json"></script>
and then you setup your own object/array constructors to steal the data.
Is this still viable with modern browsers? Should I use tokens to prevent this?
No, the [] constructor is no longer overrideable, and setters are no longer called for object initializers. See http://www.thespanner.co.uk/2011/05/30/json-hijacking/ and Is JSON Hijacking still an issue in modern browsers? .
Is this still viable with modern browsers?
Yes. And browsers are not the issue.
Non-browser applications can make HTTP requests, also. Applications like curl
can probably be used for this kind of thing. Or you can write something in Python using urllib2
to do CSRF's. You can easily fake out responses of all kinds if the framework doesn't properly include CSRF tokens.
Should I use tokens to prevent this?
No.
You should find a framework that provides you the support for handling this.
精彩评论